Microsoft Malware Protection Center (MMPC) is now Windows Defender Security Intelligence (WDSI). Watch out for even more info about threats and protecting you and your Windows computer.

Ransomware FAQ

Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money
from victims by asking for a "ransom," usually in the form of cryptocurrencies like Bitcoin, in exchange for access to
the data.

What does ransomware do?

Most ransomware today encrypt files using known algorithms like RSA or RC4, or using custom encryption.

Ransomware like Cerber and Locky search for and encrypt target file types, which are usually document and media files. When the encryption is complete,
the malware leaves a ransom note, which can be a text, image, or HTML file with instructions to pay a ransom in
order to recover files.

More sophisticated ransomware like Spora, WannaCrypt,
and Petya add malicious behaviors, such as spreading to other computers in the network via network shares or exploits.

Older ransomware like Reveton don't encrypt files; instead, they lock the screen. They do this by displaying an image in full screen and then disabling
Task Manager. The files are intact, but effectively they can't be accessed. The image usually contains a supposed message
from law enforcement claiming that the computer was used in illegal cybercriminal activity and that a fine must be paid.
Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware."

How does a ransomware infection occur?

A typical ransomware infection can begin with any of the following vectors:

Websites hosting exploit kits, which attempt to exploit vulnerabilities in the browser and other software to
install ransomware

More recent ransomware have worm-like capabilities that enable them to spread to other computers in the network. For
instance, Spora drops copies of itself in network shares. WannaCrypt exploits the Server Message Block (SMB) vulnerability
CVE-2017-0144 (also called EternalBlue) to infect other computers. A Petya variant exploits the same vulnerability,
in addition to CVE-2017-0145 (also known as EternalRomance), and also uses stolen credentials to move laterally across
affected networks.

How big is the ransomware problem?

Over the last few years, ransomware has rapidly evolved into one of the most lucrative revenue channels for cybercriminals.

Cybercriminals can launch ransomware attacks using ransomware-as-a-service (RaaS). RaaS is a cybercriminal business
model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the
ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators,
and other parties that may be involved. For cybercriminals, ransomware is a lucrative business, at the expense
of individuals and businesses.

We observed a downward trend towards the end of 2016, but the volume of ransomware in the wild started to pick up again in February 2017. In addition, we’re still seeing significant amounts of email that carry ransomware downloaders. A total of 500M of these emails are being sent out every quarter, but a lot of them are blocked before they can download and execute ransomware.

Ransomware is a global problem. The US, China, Russia, Republic of Korea, and Italy saw the most ransomware encounters in the first six months of 2017.

Geographic distribution of ransomware encounters, January-June 2017

LockScreen (a detection for ransomware on the Android platform) and Cerber were two of the most widespread ransomware families in the first half of 2017. WannaCrypt, which caused an outbreak affecting out-of-date computers in May 2017, was the third most prominent overall. Spora, a family that emerged in January 2017, immediately became one of the most widespread ransomware families.

Top ransomware families and top 5 ransomware in top 5 countries, January-June 2017

Details for enterprises and IT professionals

Multiple high-profile incidents have demonstrated that ransomware can affect enterprise networks. Organizations can
be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations.
In either case, the impact of ransomware infections in organizations is higher, because the value of the files is higher.
Attackers can take advantage of this and demand bigger ransoms when they hit high-profile targets.

Additionally, malware authors have been extending their code with behaviors that specifically impact organizations.
For instance, some ransomware can encrypt files found in enterprise environments, including those on servers
and mapped drives. Newer ransomware also add capabilities to spread via network drives or by exploiting vulnerabilities.

How do I protect my network from ransomware?

We suggest that enterprises adopt an "assume breach" mindset: protect, contain, and isolate your high-value assets.

Back up your most important files regularly. Use the 3-2-1 rule. Use OneDrive for Business to do a daily backup of
files. You can use your backup to restore files in the event of an infection. Learn how.

Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications
to run. This can effectively prevent ransomware and other dangerous software from executing.

Additionally, educate your employees so they can identify social engineering and spear-phishing attacks.

Some ransomware arrive via exploit kits. Keep your operating system and software up-to-date. Use Microsoft Edge, which can protect against ransomware
by preventing exploit kits from running and executing ransomware. Using Microsoft SmartScreen,
Microsoft Edge blocks access to malicious websites, such as those hosting exploit kits.

How do I detect ransomware in my network?

Enable Windows Defender Antivirus to detect ransomware, as well as the exploit kits and trojan downloaders that install them. It uses cloud-based
protection, helping to protect you from the latest threats.

Windows Defender Antivirus is built into Windows 10 and, when enabled,
provides real-time protection against threats. Keep Windows Defender Antivirus and other software up-to-date to get the latest protection.

How do I respond to ransomware attacks?

Use Windows Defender Advanced Threat Protection (Windows Defender ATP) to rapidly respond to ransomware attacks. Windows Defender ATP alerts security operations
teams about suspicious activities. These include alerts for PowerShell command execution, connections to TOR websites,
launching of self-replicated copies, and deletion of volume shadow copies. These behaviors are exhibited by some ransomware families,
such as Cerber, and may be observed in ransomware that emerges in the future. Evaluate Windows Defender ATP free of charge.
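As an added illustration of the behaviors listed above (this is example code, not Windows Defender ATP's own detection logic), the Python below applies each behavior as a rule to process-creation events and escalates hosts that show more than one of them. The events, host names, file paths and .onion URL are constructed placeholders.

```python
import re
from collections import defaultdict, namedtuple

# One process-creation event, as an EDR sensor or Sysmon (Event ID 1) would record it.
ProcEvent = namedtuple("ProcEvent", "host parent_image image command_line")

# Behaviour rules applied to the command line (case-insensitive); each maps to one alert name.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
        r"|\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("powershell_encoded_or_hidden", re.compile(
        r"\bpowershell(?:\.exe)?\b.*(?:\s-enc\w*\s|\s-w(?:indowstyle)?\s+hidden\b)", re.I)),
    ("tor_onion_contact", re.compile(r"\.onion\b", re.I)),
]

def self_replication(ev):
    """True when the parent process copies a file carrying its own name onto a UNC share."""
    cl = ev.command_line.lower()
    parent_name = ev.parent_image.rsplit("\\", 1)[-1].lower()
    copies = re.search(r"\b(?:x?copy|robocopy)\b", cl) is not None
    to_share = re.search(r"\s\\\\[\w.-]+\\", cl) is not None   # " \\server\share..."
    return copies and to_share and parent_name in cl

def triage(events):
    """Return (host, alert, process) triples for every behaviour that fires."""
    hits = []
    for ev in events:
        proc = ev.image.rsplit("\\", 1)[-1]
        for alert, rx in RULES:
            if rx.search(ev.command_line):
                hits.append((ev.host, alert, proc))
        if self_replication(ev):
            hits.append((ev.host, "self_replication", proc))
    return hits

def escalate(hits, min_distinct=2):
    """Hosts showing at least min_distinct different behaviours are handed to incident response."""
    seen = defaultdict(set)
    for host, alert, _ in hits:
        seen[host].add(alert)
    return sorted(h for h, alerts in seen.items() if len(alerts) >= min_distinct)

# Constructed sample events (not real telemetry); host names, paths and the .onion URL are placeholders.
INV = r"C:\Users\bob\Downloads\invoice.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent("WS-01", INV, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent("WS-01", INV, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy " + INV + r" \\FS01\public\invoice.exe"),
    ProcEvent("WS-02", r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-Date"),  # benign
    ProcEvent("WS-02", r"C:\Program Files\Microsoft Office\WINWORD.EXE", PS, "powershell.exe -w hidden -enc QUJDRA=="),
    ProcEvent("WS-01", INV, INV, "invoice.exe --note http://placeholder-payment.onion/"),
]
```

Running `triage(SAMPLE)` yields four alerts, three of them on WS-01, so `escalate` returns only that host; the benign PowerShell event on WS-02 produces no alert.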

Details for home users: Frequently asked questions

Ransomware can prevent you from accessing your documents, photos, and other important files. Ransomware can employ
pesky social engineering tactics to pressure you to pay the ransom. Some ransomware, for instance, use a timer that
counts down the time you have left to pay the ransom. Some ransomware even play an audio file, informing you about
the infection and what to do to get access to files.

How did ransomware get in my PC?

Here are ways in which ransomware can infect your computer:

Via email: Ransomware may be installed by downloader trojans attached to spam emails. These email messages
employ various social engineering techniques to get you to open the attachment. They can pretend to be credit
card bills, job applications, or documents from someone important. If you open the attachment, it installs
ransomware on your computer.

From the web: Ransomware may also be downloaded automatically when you visit certain sites. These sites contain
malicious code known as exploit kits, which take advantage of outdated software to install ransomware on
your computer.

How do I protect my computer against ransomware?

As with all threats, prevention is key. This is especially true for malware as damaging as ransomware.

You should:

Back up your important files regularly. Consider using the 3-2-1 rule: make three backup copies, store them in at
least two locations, and keep at least one copy offline. Use a cloud storage service, like OneDrive, which is fully integrated into Windows 10, to store an archive
of your files. You can then try to restore your files from backup in the event of a ransomware infection.

Install and use an up-to-date antivirus solution. In Windows 10, Windows Defender Antivirus is built in and
needs only to be enabled. Learn how.

Don’t click links or open attachments or emails from people you don’t know or companies you don’t do business
with.

If you are unable to download or run Microsoft Safety Scanner, use the free standalone tool Windows Defender Offline.
Download a copy of Windows Defender Offline using a clean, non-infected PC. Insert a blank USB flash drive or CD
into the PC. When you run Windows Defender Offline, you will be prompted to install the tool on the USB flash drive
or CD.

Once Windows Defender Offline is installed on the removable media, insert the media into the infected PC, then restart. You
will then be prompted to run the Windows Defender Offline tool.

Should I pay the ransom? How do I get my files back?

Paying the ransom does not guarantee that you will be able to decrypt your files. In some cases, paying the ransom
can make you a target for more malware attacks.

Restore from an offline backup

Before you try to restore files, make sure you have removed all ransomware infections from your PC. Use Windows Defender
Antivirus to do a full scan of your computer.

You can then try to restore your files from an offline backup.

Restore from OneDrive

If you’re using OneDrive, you can try to restore older versions of your files.

As part of its security features,
OneDrive creates an online backup of Microsoft Office files when you save or change the file.

To see if there are older versions of your file, go to OneDrive on the web.
Right-click on a file you want to restore and click Version history.

Restore using File History

If you have File History (or System Protection in older Windows versions) enabled,
you can try to restore files.

Note, however, that some ransomware also encrypt or delete backups of your files. This means that even if you have
File History enabled, if you set it up to back up to a drive on your PC, your backups might be encrypted as well. If you backed
up to a removable drive or a network drive that wasn’t connected when your PC was infected, try to restore from
that backup instead.

What should I do if I’ve already paid?

You should contact your bank and your local authorities, such as the police. If you paid with a credit card, your
bank may be able to block the transaction and return your money.

The following government-initiated fraud and scam reporting websites may also help: